diff --git a/.claude-plugin/marketplace.json b/.claude-plugin/marketplace.json index 8f952b6..6d5a063 100644 --- a/.claude-plugin/marketplace.json +++ b/.claude-plugin/marketplace.json @@ -84,6 +84,11 @@ "name": "webcam-automation", "source": "./plugins/webcam-automation", "description": "Webcam capture CLI tool for photographing paper notes" + }, + { + "name": "secrets-scanner", + "source": "./plugins/secrets-scanner", + "description": "Detect leaked secrets using gitleaks, git-secrets, and TruffleHog" } ] } diff --git a/plugins/secrets-scanner/.claude-plugin/plugin.json b/plugins/secrets-scanner/.claude-plugin/plugin.json new file mode 100644 index 0000000..e9ac903 --- /dev/null +++ b/plugins/secrets-scanner/.claude-plugin/plugin.json @@ -0,0 +1,6 @@ +{ + "name": "secrets-scanner", + "version": "1.0.0", + "description": "Detect leaked secrets and credentials using gitleaks, git-secrets, and trufflehog", + "author": "Val Redchenko" +} diff --git a/plugins/secrets-scanner/README.md b/plugins/secrets-scanner/README.md new file mode 100644 index 0000000..09fcb38 --- /dev/null +++ b/plugins/secrets-scanner/README.md @@ -0,0 +1,189 @@ +# Secrets Scanner Plugin + +Detect leaked secrets and credentials in your codebase using three industry-leading tools: **gitleaks**, **git-secrets**, and **TruffleHog**. + +## Overview + +This plugin provides comprehensive knowledge and capabilities for: +- Scanning repositories for leaked secrets locally +- Setting up CI/CD pipelines to guard against secret leaks +- Comparing and choosing the right tool for your needs +- Configuring custom detection rules and allowlists + +## Supported Tools + +| Tool | Maintainer | License | Key Feature | +|------|------------|---------|-------------| +| [gitleaks](https://github.com/gitleaks/gitleaks) | gitleaks | MIT | Highly customizable, SARIF output | +| [git-secrets](https://github.com/awslabs/git-secrets) | AWS Labs | Apache 2.0 | Native git hooks, AWS patterns | +| [TruffleHog](https://github.com/trufflesecurity/trufflehog) | TruffleSecurity | AGPL-3.0 | **Secret verification** (unique!) | + +## Commands + +| Command | Description | +|---------|-------------| +| `/secrets-scanner:scan-gitleaks` | Scan repository with gitleaks | +| `/secrets-scanner:scan-git-secrets` | Scan repository with git-secrets | +| `/secrets-scanner:scan-trufflehog` | Scan repository with TruffleHog | +| `/secrets-scanner:scan-all` | Scan with all three tools for maximum coverage | +| `/secrets-scanner:compare` | Compare tools to help choose the right one | +| `/secrets-scanner:ci-setup` | Set up GitHub Actions for secrets scanning | +| `/secrets-scanner:install` | Install the scanning tools | +| `/secrets-scanner:configure` | Configure custom rules and allowlists | + +## Quick Start + +### 1. Install a Tool + +```bash +# macOS (any tool) +brew install gitleaks git-secrets trufflehog + +# Or use the install command +/secrets-scanner:install +``` + +### 2. Scan Your Repository + +```bash +# Quick scan with gitleaks +gitleaks git -v + +# Scan with TruffleHog (only verified/active secrets) +trufflehog git file://. --only-verified + +# Scan with git-secrets (requires setup first) +git secrets --install && git secrets --register-aws +git secrets --scan +``` + +### 3. Set Up CI/CD + +Use `/secrets-scanner:ci-setup` to create a GitHub Actions workflow: + +```yaml +# .github/workflows/secrets-scan.yml +name: Secrets Scan +on: [push, pull_request] +jobs: + scan: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + - uses: gitleaks/gitleaks-action@v2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} +``` + +## Tool Comparison + +### When to Use Each Tool + +| Use Case | Recommended Tool | +|----------|------------------| +| General CI/CD scanning | **gitleaks** | +| AWS-focused projects | **git-secrets** | +| Need to verify if secrets are active | **TruffleHog** | +| Pre-commit blocking | **git-secrets** | +| Custom detection rules | **gitleaks** | +| Scan cloud storage (S3, GCS) | **TruffleHog** | +| GitHub Security integration (SARIF) | **gitleaks** | + +### Feature Comparison + +| Feature | gitleaks | git-secrets | TruffleHog | +|---------|----------|-------------|------------| +| Secret Verification | No | No | **Yes** | +| Built-in Patterns | 100+ | AWS-focused | 800+ | +| Custom Rules | TOML | Git config | Limited | +| SARIF Output | Yes | No | No | +| Pre-commit Hook | Yes | Native | Manual | +| Cloud Scanning | No | No | Yes | +| Docker Scanning | No | No | Yes | + +## Documentation + +Detailed reference documentation for each tool is available in the `docs/` directory: + +- [gitleaks-reference.md](docs/gitleaks-reference.md) - Complete CLI reference +- [git-secrets-reference.md](docs/git-secrets-reference.md) - Complete CLI reference +- [trufflehog-reference.md](docs/trufflehog-reference.md) - Complete CLI reference + +## Recommended Security Strategy + +For maximum protection, use a layered approach: + +1. **Pre-commit** (Developer machine) + - Use **git-secrets** for blocking commits + - Or gitleaks pre-commit hook + +2. **CI/CD** (Pull requests) + - Use **gitleaks** with SARIF for GitHub Security tab + - Blocks merging PRs with detected secrets + +3. **Periodic Audits** (Scheduled) + - Use **TruffleHog** with `--only-verified` + - Find active credentials that need rotation + +## Configuration Examples + +### gitleaks (.gitleaks.toml) + +```toml +[extend] +useDefault = true + +[allowlist] +paths = ['''\.env\.example$''', '''test/.*'''] +``` + +### git-secrets + +```bash +git secrets --add 'my_pattern' +git secrets --add --allowed 'false_positive' +``` + +### TruffleHog + +```bash +# Exclude paths +echo "test/" > exclude.txt +trufflehog git file://. --exclude-paths=exclude.txt +``` + +## Resources + +### Repositories +- https://github.com/gitleaks/gitleaks +- https://github.com/awslabs/git-secrets +- https://github.com/trufflesecurity/trufflehog + +### Release Pages +- https://github.com/gitleaks/gitleaks/releases (v8.30.0) +- https://github.com/trufflesecurity/trufflehog/releases (v3.92.5) + +### GitHub Actions +- https://github.com/gitleaks/gitleaks-action +- https://github.com/trufflesecurity/trufflehog (action in repo) + +### Documentation +- https://gitleaks.io +- https://trufflesecurity.com/trufflehog + +## Version Information + +| Tool | Latest Version | Updated | +|------|----------------|---------| +| gitleaks | v8.30.0 | November 2025 | +| git-secrets | N/A | Ongoing | +| trufflehog | v3.92.5 | January 2025 | + +## License + +This plugin documentation is provided under MIT license. The individual tools have their own licenses: +- gitleaks: MIT +- git-secrets: Apache 2.0 +- TruffleHog: AGPL-3.0 diff --git a/plugins/secrets-scanner/commands/ci-setup.md b/plugins/secrets-scanner/commands/ci-setup.md new file mode 100644 index 0000000..82b3cbe --- /dev/null +++ b/plugins/secrets-scanner/commands/ci-setup.md @@ -0,0 +1,285 @@ +# Setup CI/CD for Secrets Scanning + +Configure GitHub Actions to automatically scan for leaked secrets on every push and PR. + +## Choose Your Approach + +1. **Gitleaks Action** (Recommended) - Official action, SARIF support +2. **TruffleHog Action** - Verification capability +3. **Multi-tool Setup** - Maximum coverage + +## Option 1: Gitleaks GitHub Action + +### Basic Setup + +Create `.github/workflows/secrets-scan.yml`: + +```yaml +name: Secrets Scan + +on: + push: + branches: [main, master] + pull_request: + branches: [main, master] + workflow_dispatch: + schedule: + - cron: '0 4 * * *' # Daily at 4 AM UTC + +jobs: + gitleaks: + name: Gitleaks Scan + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 # Full history for scanning + + - name: Run Gitleaks + uses: gitleaks/gitleaks-action@v2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} +``` + +### With SARIF Upload (GitHub Security Tab) + +```yaml +name: Secrets Scan + +on: + push: + branches: [main, master] + pull_request: + workflow_dispatch: + +jobs: + gitleaks: + name: Gitleaks Scan + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Run Gitleaks + uses: gitleaks/gitleaks-action@v2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Upload SARIF + if: always() + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif +``` + +### With Custom Configuration + +```yaml + - name: Run Gitleaks + uses: gitleaks/gitleaks-action@v2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITLEAKS_CONFIG: .gitleaks.toml + GITLEAKS_ENABLE_COMMENTS: true +``` + +## Option 2: TruffleHog GitHub Action + +```yaml +name: TruffleHog Secrets Scan + +on: + push: + branches: [main, master] + pull_request: + workflow_dispatch: + +jobs: + trufflehog: + name: TruffleHog Scan + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: TruffleHog Scan + uses: trufflesecurity/trufflehog@main + with: + extra_args: --only-verified +``` + +### With Full Options + +```yaml + - name: TruffleHog Scan + uses: trufflesecurity/trufflehog@main + with: + path: ./ + base: ${{ github.event.repository.default_branch }} + head: HEAD + extra_args: --results=verified,unknown +``` + +## Option 3: Multi-Tool Setup + +Maximum coverage with all three tools: + +```yaml +name: Comprehensive Secrets Scan + +on: + push: + branches: [main, master] + pull_request: + workflow_dispatch: + schedule: + - cron: '0 4 * * *' + +jobs: + gitleaks: + name: Gitleaks + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + - uses: gitleaks/gitleaks-action@v2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + trufflehog: + name: TruffleHog + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + - uses: trufflesecurity/trufflehog@main + with: + extra_args: --only-verified + + git-secrets: + name: git-secrets + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Install git-secrets + run: | + git clone https://github.com/awslabs/git-secrets.git + cd git-secrets + sudo make install + + - name: Configure git-secrets + run: | + git secrets --install + git secrets --register-aws + + - name: Scan for secrets + run: git secrets --scan +``` + +## Pre-commit Hook Setup + +For local development, add to `.pre-commit-config.yaml`: + +```yaml +repos: + - repo: https://github.com/gitleaks/gitleaks + rev: v8.30.0 + hooks: + - id: gitleaks +``` + +Install with: +```bash +pip install pre-commit +pre-commit install +``` + +## Baseline Configuration + +Create `.gitleaks.toml` for custom rules: + +```toml +title = "Project Gitleaks Config" + +[extend] +useDefault = true + +[allowlist] +description = "Allowed patterns" +paths = [ + '''\.env\.example$''', + '''test/fixtures/.*''', + '''.*_test\.go$''', + '''.*\.test\.js$''' +] + +# Block commits with these patterns +[[rules]] +id = "custom-internal-key" +description = "Internal API Key" +regex = '''INTERNAL_API_KEY\s*=\s*['"]?([a-zA-Z0-9]{32,})['"]?''' +keywords = ["INTERNAL_API_KEY"] +``` + +## Execution Steps + +1. Ask which approach the user prefers: + - Quick setup (Gitleaks only) + - Verified secrets (TruffleHog) + - Maximum coverage (all three) + +2. Create the workflow file: + - Check if `.github/workflows/` exists + - Create appropriate workflow YAML + +3. Optionally create configuration: + - `.gitleaks.toml` for custom rules + - `.pre-commit-config.yaml` for local hooks + +4. Provide testing instructions: + ```bash + # Test locally before committing + act -j gitleaks # if using 'act' for local GitHub Actions + # Or push to trigger workflow + ``` + +5. Explain next steps: + - Monitor Actions tab for results + - Check Security tab for SARIF findings (if enabled) + - Adjust allowlist for false positives + +## Branch Protection (Optional) + +Recommend enabling branch protection: + +1. Go to Settings > Branches > Add rule +2. Enable "Require status checks to pass" +3. Add the secrets scan job as required + +This prevents merging PRs that contain detected secrets. + +## Troubleshooting + +**"No secrets found" but known secrets exist:** +- Ensure `fetch-depth: 0` for full history +- Check if secrets are in allowlist +- Verify branch being scanned + +**Action fails on organization repos (Gitleaks):** +- Organizations need a free license from gitleaks.io +- Set `GITLEAKS_LICENSE` secret + +**Too many false positives:** +- Add patterns to allowlist +- Use `--only-verified` with TruffleHog +- Customize rules in `.gitleaks.toml` diff --git a/plugins/secrets-scanner/commands/compare.md b/plugins/secrets-scanner/commands/compare.md new file mode 100644 index 0000000..5603ddb --- /dev/null +++ b/plugins/secrets-scanner/commands/compare.md @@ -0,0 +1,148 @@ +# Compare Secrets Scanning Tools + +Provide a detailed comparison of gitleaks, git-secrets, and TruffleHog to help choose the right tool. + +## Quick Comparison Table + +| Feature | Gitleaks | git-secrets | TruffleHog | +|---------|----------|-------------|------------| +| **License** | MIT | Apache 2.0 | AGPL-3.0 | +| **Language** | Go | Bash | Go | +| **Secret Verification** | No | No | Yes (unique!) | +| **Built-in Patterns** | 100+ | AWS-focused | 800+ | +| **Custom Rules** | TOML config | Git config | Limited | +| **Pre-commit Hook** | Yes | Yes (native) | Manual | +| **GitHub Action** | Official | Community | Official | +| **SARIF Output** | Yes | No | No | +| **Git History Scan** | Yes | Yes | Yes | +| **Non-Git Scan** | Yes | Limited | Yes | +| **Cloud Source Scan** | No | No | Yes (S3, GCS) | +| **Docker Image Scan** | No | No | Yes | +| **Installation** | Single binary | make install | Single binary | +| **Active Development** | Very active | Moderate | Very active | +| **Latest Version** | v8.30.0 | N/A | v3.92.5 | + +## Detailed Comparison + +### Gitleaks + +**Best for:** General-purpose secret scanning with high customizability + +**Pros:** +- Extensive built-in rules for common secret types +- Highly customizable via TOML configuration +- Excellent CI/CD integration (GitHub Action, SARIF support) +- Composite rules for multi-part secrets (v8.28+) +- Baseline support for tracking new vs. known issues +- Active community and regular updates +- MIT license - most permissive + +**Cons:** +- No secret verification (can't confirm if secrets are active) +- Regex-based detection may miss encoded secrets +- Configuration can become complex for large rule sets + +**Ideal Use Cases:** +- CI/CD pipelines with GitHub Actions +- Organizations needing custom detection rules +- Projects requiring SARIF integration with GitHub Security + +### git-secrets + +**Best for:** AWS-focused projects, simple pattern blocking + +**Pros:** +- Native git hook integration (blocks commits) +- Pre-configured AWS credential patterns +- Lightweight, shell-based (minimal dependencies) +- Template support for organization-wide deployment +- Works offline without external dependencies + +**Cons:** +- AWS-focused, limited built-in patterns for other services +- Requires manual setup per repository +- No verification of found secrets +- Pattern management can be cumbersome at scale +- Less active development than alternatives + +**Ideal Use Cases:** +- AWS-heavy environments +- Teams wanting commit-time blocking +- Environments with limited tooling (shell-based) + +### TruffleHog + +**Best for:** Comprehensive scanning with verification, cloud sources + +**Pros:** +- **Secret verification** - confirms if credentials are active (unique!) +- 800+ detector types for various services +- Scans cloud sources (S3, GCS, GitHub orgs) +- Docker image scanning capability +- High accuracy due to verification +- Enterprise version available + +**Cons:** +- AGPL license may be restrictive for some organizations +- Verification requires network access +- Less customizable than gitleaks +- Verification can slow down scans + +**Ideal Use Cases:** +- Incident response (need to know which secrets are active) +- Organizations with cloud storage to scan +- Teams needing highest accuracy (verified results) + +## Recommendation Matrix + +| Scenario | Recommended Tool | +|----------|------------------| +| Quick CI/CD setup | Gitleaks | +| AWS-centric project | git-secrets | +| Need to verify active secrets | TruffleHog | +| Custom detection rules needed | Gitleaks | +| Pre-commit blocking | git-secrets | +| Scan S3/GCS buckets | TruffleHog | +| GitHub Security integration | Gitleaks (SARIF) | +| Minimal dependencies | git-secrets | +| Docker image scanning | TruffleHog | +| Enterprise with support | TruffleHog Enterprise | + +## Combined Strategy Recommendation + +For maximum security, consider a layered approach: + +1. **Pre-commit**: git-secrets (blocks commits with secrets) +2. **CI/CD**: Gitleaks (comprehensive scan with SARIF) +3. **Periodic Audit**: TruffleHog (verification of active secrets) + +## Execution Steps + +When user asks for comparison: + +1. Present the quick comparison table +2. Ask about their specific needs: + - Primary cloud provider (AWS, GCP, Azure)? + - Need for secret verification? + - CI/CD platform in use? + - License restrictions? +3. Provide tailored recommendation based on needs +4. Offer to help install and configure the recommended tool(s) + +## Resource Links + +### Gitleaks +- Repository: https://github.com/gitleaks/gitleaks +- Releases: https://github.com/gitleaks/gitleaks/releases +- Documentation: https://gitleaks.io +- GitHub Action: https://github.com/gitleaks/gitleaks-action + +### git-secrets +- Repository: https://github.com/awslabs/git-secrets +- AWS Security Blog: Search "git-secrets" on aws.amazon.com/blogs/security + +### TruffleHog +- Repository: https://github.com/trufflesecurity/trufflehog +- Releases: https://github.com/trufflesecurity/trufflehog/releases +- Documentation: https://trufflesecurity.com/trufflehog +- Enterprise: https://trufflesecurity.com diff --git a/plugins/secrets-scanner/commands/configure.md b/plugins/secrets-scanner/commands/configure.md new file mode 100644 index 0000000..018c1d7 --- /dev/null +++ b/plugins/secrets-scanner/commands/configure.md @@ -0,0 +1,288 @@ +# Configure Secrets Scanning Tools + +Set up custom configuration for gitleaks, git-secrets, and TruffleHog. + +## Gitleaks Configuration + +Gitleaks uses TOML configuration files. + +### Configuration Precedence +1. `--config` CLI flag +2. `GITLEAKS_CONFIG` environment variable (file path) +3. `GITLEAKS_CONFIG_TOML` environment variable (content) +4. `.gitleaks.toml` in repository root +5. Built-in default rules + +### Create .gitleaks.toml + +```toml +# .gitleaks.toml +title = "Custom Gitleaks Configuration" + +# Extend default rules (recommended) +[extend] +useDefault = true + +# Global allowlist - applies to all rules +[allowlist] +description = "Global allowlist" +paths = [ + # Test files + '''test/.*''', + '''.*_test\.go$''', + '''.*\.test\.[jt]sx?$''', + '''.*\.spec\.[jt]sx?$''', + + # Example/template files + '''\.env\.example$''', + '''\.env\.sample$''', + '''\.env\.template$''', + + # Documentation + '''docs/.*''', + '''.*\.md$''', + + # Lock files + '''package-lock\.json$''', + '''yarn\.lock$''', + '''pnpm-lock\.yaml$''', + '''Gemfile\.lock$''', + '''poetry\.lock$''' +] + +# Specific commits to ignore +commits = [ + "abc1234567890", # Known false positive commit +] + +# Regex patterns to ignore +regexes = [ + '''EXAMPLE_.*''', + '''PLACEHOLDER_.*''', +] + +# Custom rules +[[rules]] +id = "internal-api-key" +description = "Internal API Key" +regex = '''(?i)INTERNAL[_-]?API[_-]?KEY\s*[:=]\s*['"]?([A-Za-z0-9_-]{32,})['"]?''' +keywords = ["internal", "api", "key"] +entropy = 3.5 + +[[rules]] +id = "custom-database-url" +description = "Database Connection String" +regex = '''(?i)(postgres|mysql|mongodb)://[^:]+:[^@]+@[^\s'"]+''' +keywords = ["postgres", "mysql", "mongodb"] + +# Rule-specific allowlist +[[rules]] +id = "generic-api-key" +description = "Generic API Key" +regex = '''(?i)api[_-]?key\s*[:=]\s*['"]?([A-Za-z0-9_-]{20,})['"]?''' +keywords = ["api_key", "apikey"] + + [rules.allowlist] + paths = ['''config/.*\.example\..*'''] + regexes = ['''test_api_key''', '''dummy_api_key'''] +``` + +### Advanced: Composite Rules (v8.28+) + +```toml +# Primary rule +[[rules]] +id = "aws-credentials-composite" +description = "AWS Access Key with Secret Key in proximity" +regex = '''AKIA[0-9A-Z]{16}''' +keywords = ["AKIA"] + +# Auxiliary rule linked to primary +[[rules]] +id = "aws-secret-key" +description = "AWS Secret Key (auxiliary)" +regex = '''(?i)aws[_-]?secret[_-]?access[_-]?key\s*[:=]\s*['"]?([A-Za-z0-9/+=]{40})['"]?''' +keywords = ["aws", "secret"] + [rules.composite] + primaryRule = "aws-credentials-composite" + withinLines = 5 # Must appear within 5 lines of primary +``` + +--- + +## git-secrets Configuration + +git-secrets uses git config for pattern storage. + +### Add Prohibited Patterns + +```bash +# Add to current repository +git secrets --add 'password\s*=\s*['\''"][^'\''"]+['\''"]' +git secrets --add 'PRIVATE[_-]?KEY' +git secrets --add 'BEGIN RSA PRIVATE KEY' + +# Add globally (all repositories) +git secrets --add --global 'my_company_[a-zA-Z0-9]{32}' +``` + +### Add Allowed Patterns (Whitelist) + +```bash +# Whitelist example values +git secrets --add --allowed 'AKIAIOSFODNN7EXAMPLE' +git secrets --add --allowed 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY' + +# Whitelist test files +git secrets --add --allowed '.*\.test\.[jt]s$' +git secrets --add --allowed 'test/.*' +``` + +### Add Literal Strings (Not Regex) + +```bash +git secrets --add --literal 'sk_test_1234567890abcdef' +``` + +### View Current Configuration + +```bash +# List all patterns +git secrets --list + +# View in git config +git config --get-all secrets.patterns +git config --get-all secrets.allowed +git config --get-all secrets.providers +``` + +### Provider Scripts + +```bash +# Add a script that outputs patterns +git secrets --add-provider -- cat /path/to/patterns.txt + +# Add inline command +git secrets --add-provider -- 'echo "my_secret_pattern"' +``` + +### Remove Patterns + +```bash +# Edit git config directly +git config --unset secrets.patterns 'pattern_to_remove' +git config --unset-all secrets.patterns # Remove all +``` + +--- + +## TruffleHog Configuration + +TruffleHog has limited configuration but supports path exclusions. + +### Exclude Paths File + +Create `trufflehog-exclude.txt`: +``` +# Patterns to exclude (one per line) +test/ +*.test.js +*.spec.ts +.env.example +node_modules/ +vendor/ +docs/ +``` + +Use with: +```bash +trufflehog git file://. --exclude-paths=trufflehog-exclude.txt +``` + +### Include Paths File + +Create `trufflehog-include.txt`: +``` +# Only scan these paths +src/ +config/ +.env +``` + +Use with: +```bash +trufflehog git file://. --include-paths=trufflehog-include.txt +``` + +### Environment Variables + +```bash +# For GitHub scanning +export GITHUB_TOKEN="your_token" +trufflehog github --org=your-org + +# For S3 scanning (uses AWS credentials) +export AWS_ACCESS_KEY_ID="..." +export AWS_SECRET_ACCESS_KEY="..." +trufflehog s3 --bucket=your-bucket +``` + +--- + +## Execution Steps + +1. Ask which tool(s) to configure +2. Determine configuration needs: + - Custom patterns to detect + - Paths/patterns to exclude + - Existing false positives to whitelist +3. Create appropriate configuration files: + - `.gitleaks.toml` for gitleaks + - git config entries for git-secrets + - Exclude/include files for TruffleHog +4. Test configuration: + ```bash + # Gitleaks + gitleaks git -v --config .gitleaks.toml + + # git-secrets + git secrets --scan + + # TruffleHog + trufflehog git file://. --exclude-paths=trufflehog-exclude.txt + ``` +5. Commit configuration files to repository + +## Common Configuration Scenarios + +### Ignore Test Files +```toml +# .gitleaks.toml +[allowlist] +paths = ['''test/.*''', '''.*_test\.go$''', '''.*\.test\.js$'''] +``` + +### AWS-Heavy Project +```bash +# git-secrets +git secrets --register-aws +git secrets --add --allowed 'AKIAIOSFODNN7EXAMPLE' +``` + +### Monorepo with Multiple Projects +```toml +# .gitleaks.toml +[[rules]] +id = "project-a-key" +description = "Project A API Key" +regex = '''PROJECT_A_KEY=([a-zA-Z0-9]{32})''' +paths = ["project-a/.*"] # Only scan project-a directory +``` + +### High-Sensitivity Scan +```bash +# Combine tools for maximum coverage +gitleaks git -v --config .gitleaks.toml +trufflehog git file://. --only-verified +git secrets --scan-history +``` diff --git a/plugins/secrets-scanner/commands/install.md b/plugins/secrets-scanner/commands/install.md new file mode 100644 index 0000000..78666c3 --- /dev/null +++ b/plugins/secrets-scanner/commands/install.md @@ -0,0 +1,197 @@ +# Install Secrets Scanning Tools + +Install gitleaks, git-secrets, and/or TruffleHog on the local development machine. + +## Quick Install Commands + +### All Three Tools (macOS with Homebrew) +```bash +brew install gitleaks git-secrets trufflehog +``` + +### All Three Tools (Linux) +```bash +# Gitleaks +curl -sSfL https://github.com/gitleaks/gitleaks/releases/download/v8.30.0/gitleaks_8.30.0_linux_x64.tar.gz | tar -xz -C /usr/local/bin gitleaks + +# git-secrets +git clone https://github.com/awslabs/git-secrets.git && cd git-secrets && sudo make install && cd .. && rm -rf git-secrets + +# TruffleHog +curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin +``` + +--- + +## Gitleaks Installation + +### macOS (Homebrew) +```bash +brew install gitleaks +``` + +### Linux (Binary) +```bash +# Download latest release +GITLEAKS_VERSION="8.30.0" +curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" | tar -xz -C /usr/local/bin gitleaks +chmod +x /usr/local/bin/gitleaks +``` + +### Docker +```bash +docker pull zricethezav/gitleaks:latest +# Usage: docker run --rm -v "$(pwd):/repo" zricethezav/gitleaks:latest git -v -s /repo +``` + +### From Source (requires Go 1.22+) +```bash +git clone https://github.com/gitleaks/gitleaks.git +cd gitleaks +make build +sudo mv gitleaks /usr/local/bin/ +``` + +### Verify Installation +```bash +gitleaks version +``` + +--- + +## git-secrets Installation + +### macOS (Homebrew) +```bash +brew install git-secrets +``` + +### Linux/macOS (From Source) +```bash +git clone https://github.com/awslabs/git-secrets.git +cd git-secrets +sudo make install +cd .. +rm -rf git-secrets +``` + +### Windows (PowerShell) +```powershell +git clone https://github.com/awslabs/git-secrets.git +cd git-secrets +./install.ps1 +``` + +### Post-Install Setup (Required) +```bash +# Initialize in current repository +git secrets --install + +# Register AWS patterns +git secrets --register-aws + +# Optional: Set up for all new repos +git secrets --install ~/.git-templates/git-secrets +git config --global init.templateDir ~/.git-templates/git-secrets +``` + +### Verify Installation +```bash +git secrets --list +``` + +--- + +## TruffleHog Installation + +### macOS (Homebrew) +```bash +brew install trufflehog +``` + +### Linux/macOS (Install Script) +```bash +curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin +``` + +### Linux (Binary) +```bash +TRUFFLEHOG_VERSION="3.92.5" +curl -sSfL "https://github.com/trufflesecurity/trufflehog/releases/download/v${TRUFFLEHOG_VERSION}/trufflehog_${TRUFFLEHOG_VERSION}_linux_amd64.tar.gz" | tar -xz -C /usr/local/bin trufflehog +chmod +x /usr/local/bin/trufflehog +``` + +### Docker +```bash +docker pull trufflesecurity/trufflehog:latest +# Usage: docker run --rm -v "$(pwd):/repo" trufflesecurity/trufflehog:latest git file:///repo +``` + +### From Source (requires Go) +```bash +git clone https://github.com/trufflesecurity/trufflehog.git +cd trufflehog +go install +``` + +### Verify Installation +```bash +trufflehog --version +``` + +--- + +## Execution Steps + +1. Detect the operating system: + ```bash + uname -s # Darwin for macOS, Linux for Linux + ``` + +2. Check for existing installations: + ```bash + which gitleaks git-secrets trufflehog 2>/dev/null + ``` + +3. Check for package managers: + ```bash + which brew apt yum dnf 2>/dev/null + ``` + +4. Based on OS and available package managers, present options: + - macOS: Prefer Homebrew + - Linux: Prefer binary downloads or install scripts + - Either: Offer Docker as alternative + +5. Install requested tools and verify + +6. For git-secrets, remind about per-repo setup: + ```bash + git secrets --install + git secrets --register-aws + ``` + +## Version Information + +| Tool | Latest Version | Release Page | +|------|----------------|--------------| +| gitleaks | v8.30.0 | https://github.com/gitleaks/gitleaks/releases | +| git-secrets | N/A | https://github.com/awslabs/git-secrets | +| trufflehog | v3.92.5 | https://github.com/trufflesecurity/trufflehog/releases | + +## Troubleshooting + +**"Permission denied" during install:** +- Use `sudo` for `/usr/local/bin` installations +- Or install to user directory: `~/.local/bin` + +**Homebrew not found:** +- Install: `/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"` + +**Docker permission issues:** +- Add user to docker group: `sudo usermod -aG docker $USER` +- Or use: `sudo docker ...` + +**PATH issues after install:** +- Add to ~/.bashrc or ~/.zshrc: `export PATH="/usr/local/bin:$PATH"` +- Reload: `source ~/.bashrc` diff --git a/plugins/secrets-scanner/commands/scan-all.md b/plugins/secrets-scanner/commands/scan-all.md new file mode 100644 index 0000000..4eb4b66 --- /dev/null +++ b/plugins/secrets-scanner/commands/scan-all.md @@ -0,0 +1,107 @@ +# Scan Repository with All Three Tools + +Run a comprehensive secrets scan using gitleaks, git-secrets, and TruffleHog. + +## Purpose + +Running all three scanners provides: +- Maximum coverage - each tool has different detection patterns +- Cross-validation - secrets found by multiple tools are high confidence +- Comparison - see which tool performs best for your codebase + +## Prerequisites + +Check which tools are available: +```bash +echo "=== Checking installed tools ===" +echo -n "gitleaks: "; gitleaks version 2>/dev/null || echo "NOT INSTALLED" +echo -n "git-secrets: "; git secrets 2>&1 | grep -q "usage" && echo "installed" || echo "NOT INSTALLED" +echo -n "trufflehog: "; trufflehog --version 2>/dev/null || echo "NOT INSTALLED" +``` + +## Scan Execution + +### 1. Gitleaks Scan +```bash +echo "=== Running Gitleaks ===" +gitleaks git -v --report-format json --report-path gitleaks-results.json 2>&1 +echo "Results saved to: gitleaks-results.json" +``` + +### 2. git-secrets Scan +```bash +echo "=== Running git-secrets ===" +# Ensure hooks are installed +git secrets --install 2>/dev/null || true +git secrets --register-aws 2>/dev/null || true + +# Run scan +git secrets --scan 2>&1 | tee git-secrets-results.txt +echo "Results saved to: git-secrets-results.txt" +``` + +### 3. TruffleHog Scan +```bash +echo "=== Running TruffleHog ===" +trufflehog git file://. --json > trufflehog-results.json 2>&1 +echo "Results saved to: trufflehog-results.json" +``` + +## Combined Results Analysis + +After running all three scans: + +1. **Count findings per tool**: + ```bash + echo "=== Summary ===" + echo "Gitleaks findings: $(cat gitleaks-results.json 2>/dev/null | grep -c '"RuleID"' || echo 0)" + echo "TruffleHog findings: $(cat trufflehog-results.json 2>/dev/null | grep -c '"DetectorName"' || echo 0)" + echo "git-secrets: $(wc -l < git-secrets-results.txt 2>/dev/null || echo 0) lines of output" + ``` + +2. **Cross-reference findings**: + - Compare file paths across all three reports + - Secrets found by 2+ tools are high confidence + - Unique findings may be tool-specific patterns or false positives + +3. **Priority order**: + 1. TruffleHog verified secrets (confirmed active) + 2. Secrets found by multiple tools + 3. Single-tool findings (investigate individually) + +## Execution Steps + +1. Check which tools are installed +2. Offer to install missing tools (user choice) +3. Run available tools sequentially, saving reports +4. Parse and combine results +5. Present unified findings with: + - Source tool(s) for each finding + - File path and line number + - Secret type/category + - Verification status (if TruffleHog) +6. Recommend remediation based on finding severity + +## Cleanup + +After addressing findings: +```bash +rm -f gitleaks-results.json git-secrets-results.txt trufflehog-results.json +``` + +## Output Format Recommendation + +Present combined results in a table: + +| File | Line | Type | Tools | Verified | Priority | +|------|------|------|-------|----------|----------| +| config.js | 42 | AWS Key | gitleaks, trufflehog | Yes | CRITICAL | +| .env | 15 | API Token | gitleaks | N/A | HIGH | +| test.py | 100 | Password | git-secrets | N/A | MEDIUM | + +## Notes + +- Running all three tools may take longer on large repositories +- Each tool has different default patterns and detection methods +- Consider setting up CI to run at least one tool automatically +- Use `--only-verified` with TruffleHog for quick critical-only scan diff --git a/plugins/secrets-scanner/commands/scan-git-secrets.md b/plugins/secrets-scanner/commands/scan-git-secrets.md new file mode 100644 index 0000000..c6d3369 --- /dev/null +++ b/plugins/secrets-scanner/commands/scan-git-secrets.md @@ -0,0 +1,152 @@ +# Scan Repository with git-secrets + +Scan the current repository for leaked secrets using AWS git-secrets. + +## Prerequisites Check + +1. Check if git-secrets is installed: + ```bash + git secrets --version 2>/dev/null || git secrets 2>&1 | head -5 + ``` + +2. If not installed, offer installation options: + - **macOS (Homebrew)**: `brew install git-secrets` + - **Linux/macOS (from source)**: + ```bash + git clone https://github.com/awslabs/git-secrets.git + cd git-secrets + sudo make install + ``` + - **Windows**: Download and run `install.ps1` + +## Initial Setup (Required Once Per Repo) + +git-secrets requires explicit installation in each repository: + +```bash +# Install hooks in current repo +git secrets --install + +# Register AWS patterns (highly recommended) +git secrets --register-aws +``` + +## Scanning Options + +### Scan Staged Files +```bash +git secrets --scan +``` + +### Scan Specific Files +```bash +git secrets --scan path/to/file1 path/to/file2 +``` + +### Scan Directory Recursively +```bash +git secrets --scan -r /path/to/directory +``` + +### Scan Entire Git History +```bash +git secrets --scan-history +``` + +### List Current Patterns +```bash +git secrets --list +``` + +## Configuration + +### Add Custom Prohibited Patterns +```bash +# Add pattern locally (current repo) +git secrets --add 'PRIVATE[_-]?KEY' + +# Add pattern globally (all repos) +git secrets --add --global 'my_company_api_[a-zA-Z0-9]{32}' +``` + +### Add Allowed Patterns (Whitelist) +```bash +# Allow specific false positive pattern +git secrets --add --allowed 'AKIAIOSFODNN7EXAMPLE' + +# Allow example files +git secrets --add --allowed '\.example$' +``` + +### Add Literal Strings (Not Regex) +```bash +git secrets --add --literal 'MySpecificSecretValue' +``` + +### Custom Providers +```bash +# Add provider script that outputs patterns +git secrets --add-provider -- cat /path/to/secret-patterns.txt +``` + +## Pattern Storage + +Patterns are stored in git config: +- **Local**: `.git/config` +- **Global**: `~/.gitconfig` + +View with: +```bash +git config --get-all secrets.patterns +git config --get-all secrets.allowed +``` + +## AWS-Specific Patterns + +After `--register-aws`, these patterns are active: +- AWS Access Key IDs: `(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}` +- AWS Secret Access Keys +- AWS account IDs +- Credential file patterns + +## Template Setup (New Repos) + +Set up git-secrets to auto-install in new repos: +```bash +git secrets --install ~/.git-templates/git-secrets +git config --global init.templateDir ~/.git-templates/git-secrets +``` + +## Key Commands Reference + +| Command | Description | +|---------|-------------| +| `--install` | Install git hooks in current repo | +| `--scan` | Scan files for secrets | +| `--scan-history` | Scan entire git history | +| `--list` | Show all configured patterns | +| `--add ` | Add prohibited pattern | +| `--add --allowed ` | Add allowed pattern | +| `--add --literal ` | Add literal match | +| `--register-aws` | Enable AWS credential patterns | +| `--add-provider` | Add custom pattern provider | + +## Execution Steps + +1. Verify git-secrets is installed +2. Check if hooks are installed in the repository (`ls .git/hooks/pre-commit`) +3. If not installed, run `git secrets --install` and `git secrets --register-aws` +4. Run the appropriate scan command based on user needs +5. Present findings clearly with file locations and matched patterns +6. For any secrets found: + - Identify the type of secret (AWS key, API token, etc.) + - Recommend immediate credential rotation + - Add to allowed patterns if false positive + - Consider scanning history if current scan found issues + +## Limitations + +- Pattern-based detection may miss some secrets +- Requires manual setup per repository (or template config) +- Cannot detect encoded or obfuscated secrets +- Should be used alongside other security practices diff --git a/plugins/secrets-scanner/commands/scan-gitleaks.md b/plugins/secrets-scanner/commands/scan-gitleaks.md new file mode 100644 index 0000000..17c8a7f --- /dev/null +++ b/plugins/secrets-scanner/commands/scan-gitleaks.md @@ -0,0 +1,107 @@ +# Scan Repository with Gitleaks + +Scan the current repository for leaked secrets using gitleaks. + +## Prerequisites Check + +1. Check if gitleaks is installed: + ```bash + gitleaks version + ``` + +2. If not installed, offer installation options: + - **macOS (Homebrew)**: `brew install gitleaks` + - **Docker**: `docker pull zricethezav/gitleaks:latest` + - **Binary**: Download from https://github.com/gitleaks/gitleaks/releases + +## Scanning Options + +### Basic Scan (Current Directory) +```bash +gitleaks git -v +``` + +### Scan Specific Directory +```bash +gitleaks dir -v /path/to/directory +``` + +### Scan Git History +```bash +gitleaks git -v --log-opts="--all" +``` + +### Generate JSON Report +```bash +gitleaks git -v --report-format json --report-path gitleaks-report.json +``` + +### Generate SARIF Report (for GitHub Security tab) +```bash +gitleaks git -v --report-format sarif --report-path gitleaks-report.sarif +``` + +### Scan with Baseline (only new findings) +```bash +# First create baseline +gitleaks git --report-path baseline.json + +# Then compare against it +gitleaks git --baseline-path baseline.json --report-path new-findings.json +``` + +## Configuration + +Gitleaks looks for configuration in this order: +1. `--config` CLI flag +2. `GITLEAKS_CONFIG` environment variable (path) +3. `GITLEAKS_CONFIG_TOML` environment variable (content) +4. `.gitleaks.toml` in target directory +5. Built-in default rules + +### Example .gitleaks.toml +```toml +title = "Custom Gitleaks Config" + +[extend] +useDefault = true + +[[rules]] +id = "custom-api-key" +description = "Custom API Key" +regex = '''(?i)my_api_key\s*=\s*['"]?([a-zA-Z0-9]{32,})['"]?''' +keywords = ["my_api_key"] + +[allowlist] +paths = [ + '''\.env\.example$''', + '''test/.*''', + '''.*_test\.go$''' +] +``` + +## Key Flags Reference + +| Flag | Description | +|------|-------------| +| `-v, --verbose` | Show detailed output | +| `-c, --config` | Custom config file path | +| `-f, --report-format` | Output format (json, csv, junit, sarif) | +| `-r, --report-path` | Save report to file | +| `-b, --baseline-path` | Compare against baseline | +| `--redact` | Redact secrets in output (0-100) | +| `--exit-code` | Exit code when secrets found (default: 1) | +| `--no-git` | Treat as plain directory | +| `-l, --log-level` | Log level (trace, debug, info, warn, error) | + +## Execution Steps + +1. Verify gitleaks is installed and accessible +2. Check if `.gitleaks.toml` exists in the repository for custom configuration +3. Run the scan based on user requirements (basic, with history, with report) +4. Parse and present findings clearly +5. Suggest remediation for any secrets found +6. If secrets found, recommend: + - Rotating compromised credentials immediately + - Adding patterns to `.gitleaks.toml` allowlist if false positives + - Setting up pre-commit hooks to prevent future leaks diff --git a/plugins/secrets-scanner/commands/scan-trufflehog.md b/plugins/secrets-scanner/commands/scan-trufflehog.md new file mode 100644 index 0000000..34eefeb --- /dev/null +++ b/plugins/secrets-scanner/commands/scan-trufflehog.md @@ -0,0 +1,180 @@ +# Scan Repository with TruffleHog + +Scan the current repository for leaked secrets using TruffleHog. + +## Prerequisites Check + +1. Check if trufflehog is installed: + ```bash + trufflehog --version + ``` + +2. If not installed, offer installation options: + - **macOS (Homebrew)**: `brew install trufflehog` + - **Docker**: `docker pull trufflesecurity/trufflehog:latest` + - **Binary**: Download from https://github.com/trufflesecurity/trufflehog/releases + - **Install script**: + ```bash + curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin + ``` + +## Scanning Options + +### Scan Local Git Repository +```bash +trufflehog git file://. --json +``` + +### Scan with Only Verified Secrets +```bash +trufflehog git file://. --only-verified +``` + +### Scan Remote Repository +```bash +trufflehog git https://github.com/owner/repo.git +``` + +### Scan Specific Branch +```bash +trufflehog git file://. --branch main +``` + +### Scan Since Specific Commit +```bash +trufflehog git file://. --since-commit abc1234 +``` + +### Scan Directory (Non-Git) +```bash +trufflehog filesystem /path/to/directory +``` + +### Scan GitHub Organization +```bash +trufflehog github --org=organization-name --token=$GITHUB_TOKEN +``` + +### Scan S3 Bucket +```bash +trufflehog s3 --bucket=bucket-name +``` + +### Scan Docker Image +```bash +trufflehog docker --image=registry/image:tag +``` + +## Output Options + +### JSON Output (Recommended for CI) +```bash +trufflehog git file://. --json > trufflehog-report.json +``` + +### Only Show Verified Secrets +```bash +trufflehog git file://. --only-verified +``` + +### Results Filter Options +```bash +# Only verified secrets +trufflehog git file://. --results=verified + +# Verified + unknown (high confidence) +trufflehog git file://. --results=verified,unknown +``` + +### CI/CD Exit Code +```bash +# Exit with code 183 if secrets found +trufflehog git file://. --fail +``` + +## Advanced Options + +### Exclude Paths +```bash +trufflehog git file://. --exclude-paths=exclude-patterns.txt +``` + +### Include Paths +```bash +trufflehog git file://. --include-paths=include-patterns.txt +``` + +### Concurrency +```bash +trufflehog git file://. --concurrency=10 +``` + +### Scan GitHub Issues/PRs +```bash +trufflehog github --repo=owner/repo --issue-comments --pr-comments --token=$GITHUB_TOKEN +``` + +## Supported Secret Types + +TruffleHog can detect 800+ secret types including: +- AWS credentials (Access Keys, Secret Keys) +- GCP service account keys +- Azure credentials +- GitHub tokens +- Slack tokens +- Stripe API keys +- Database connection strings +- Private keys (RSA, SSH, PGP) +- API keys for hundreds of services + +## Verification Feature + +TruffleHog can **verify** if discovered secrets are still active by: +1. Testing against the service's API +2. Checking if credentials authenticate successfully +3. Reporting verification status (verified/unverified) + +This is a unique feature that distinguishes TruffleHog from pattern-only scanners. + +## Key Flags Reference + +| Flag | Description | +|------|-------------| +| `--json` | Output as JSON | +| `--only-verified` | Only show verified (active) secrets | +| `--results` | Filter results (verified, unknown, unverified) | +| `--fail` | Exit code 183 if secrets found | +| `--branch` | Scan specific branch | +| `--since-commit` | Scan since commit | +| `--exclude-paths` | File with paths to exclude | +| `--include-paths` | File with paths to include | +| `--concurrency` | Number of concurrent workers | +| `--no-verification` | Disable secret verification | + +## Execution Steps + +1. Verify trufflehog is installed +2. Determine the scan target (local repo, remote, filesystem) +3. Choose appropriate scan mode: + - Quick scan: `--only-verified` for confirmed active secrets + - Full scan: Default for all potential secrets +4. Run the scan with JSON output for detailed analysis +5. Parse and present findings, highlighting: + - Verified secrets (highest priority - currently active!) + - Unknown verification status + - Unverified secrets (may be false positives or rotated) +6. For verified secrets: + - URGENT: These are confirmed active credentials + - Rotate immediately + - Check for unauthorized access + - Review access logs + +## Docker Usage + +```bash +# Scan current directory +docker run --rm -v "$(pwd):/repo" trufflesecurity/trufflehog:latest git file:///repo + +# Scan with verification +docker run --rm -v "$(pwd):/repo" trufflesecurity/trufflehog:latest git file:///repo --only-verified +``` diff --git a/plugins/secrets-scanner/docs/git-secrets-reference.md b/plugins/secrets-scanner/docs/git-secrets-reference.md new file mode 100644 index 0000000..b23fc2d --- /dev/null +++ b/plugins/secrets-scanner/docs/git-secrets-reference.md @@ -0,0 +1,263 @@ +# git-secrets CLI Reference + +> Source: https://github.com/awslabs/git-secrets +> Maintainer: AWS Labs +> License: Apache 2.0 + +## Overview + +git-secrets prevents committing secrets and credentials into git repositories. It installs git hooks that scan commits, commit messages, and merges for prohibited patterns. + +## Installation + +```bash +# macOS +brew install git-secrets + +# Linux/macOS from source +git clone https://github.com/awslabs/git-secrets.git +cd git-secrets +sudo make install + +# Windows (PowerShell) +git clone https://github.com/awslabs/git-secrets.git +cd git-secrets +./install.ps1 +``` + +## Initial Setup (Required) + +```bash +# Install hooks in current repository +git secrets --install + +# Register AWS patterns +git secrets --register-aws +``` + +## Commands + +### --install + +Install git hooks into a repository. + +```bash +git secrets --install [] +``` + +**Options:** +- `-f, --force` - Overwrite existing hooks + +### --scan + +Scan files for secrets. + +```bash +git secrets --scan [options] [...] +``` + +**Options:** +- `-r, --recursive` - Scan directories recursively +- `--cached` - Scan staged changes +- `--no-index` - Scan untracked files +- `--untracked` - Scan untracked files + +### --scan-history + +Scan entire git history for secrets. + +```bash +git secrets --scan-history +``` + +### --list + +List all registered patterns. + +```bash +git secrets --list +``` + +### --add + +Add a prohibited pattern. + +```bash +git secrets --add [options] +``` + +**Options:** +- `--global` - Add to global config +- `--literal` - Treat pattern as literal string (not regex) +- `--allowed` - Add as allowed pattern (whitelist) + +### --add-provider + +Add a secret provider (script that outputs patterns). + +```bash +git secrets --add-provider -- +``` + +### --register-aws + +Register AWS credential patterns. + +```bash +git secrets --register-aws [--global] +``` + +### --aws-provider + +Output AWS credential patterns (used as a provider). + +```bash +git secrets --aws-provider +``` + +## Pattern Management + +### Add Prohibited Pattern +```bash +# Local (current repo) +git secrets --add 'password\s*=\s*['\''"]' + +# Global (all repos) +git secrets --add --global 'PRIVATE[_-]?KEY' +``` + +### Add Allowed Pattern (Whitelist) +```bash +# Allow example credentials +git secrets --add --allowed 'AKIAIOSFODNN7EXAMPLE' + +# Allow test files +git secrets --add --allowed '\.test\.[jt]s$' +``` + +### Add Literal String +```bash +git secrets --add --literal 'sk_test_abc123' +``` + +### Remove Patterns +```bash +# Edit git config directly +git config --unset secrets.patterns '' +``` + +## AWS Patterns + +After `--register-aws`, these patterns are active: + +``` +# Access Key ID +(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16} + +# Secret patterns from aws-provider +``` + +## Configuration Storage + +Patterns are stored in git config: + +```bash +# View patterns +git config --get-all secrets.patterns + +# View allowed +git config --get-all secrets.allowed + +# View providers +git config --get-all secrets.providers +``` + +## Template Setup (Auto-Install in New Repos) + +```bash +# Create template directory +git secrets --install ~/.git-templates/git-secrets + +# Set as default template +git config --global init.templateDir ~/.git-templates/git-secrets + +# Now all new repos will have git-secrets hooks +``` + +## Common Usage Examples + +```bash +# Initial setup +git secrets --install +git secrets --register-aws + +# Scan current directory +git secrets --scan + +# Scan specific files +git secrets --scan config.js .env + +# Scan recursively +git secrets --scan -r src/ + +# Scan entire history +git secrets --scan-history + +# Add custom pattern +git secrets --add 'my_company_key_[a-z0-9]{32}' + +# Allow false positive +git secrets --add --allowed 'example_api_key_12345' + +# List all patterns +git secrets --list +``` + +## Git Hooks Installed + +- `pre-commit` - Scans staged changes before commit +- `commit-msg` - Scans commit message +- `prepare-commit-msg` - Validates merge commits + +## Bypassing (Emergency Only) + +```bash +# Skip hooks for single commit (NOT RECOMMENDED) +git commit --no-verify -m "message" +``` + +## Integration with CI + +```yaml +# GitHub Actions example +jobs: + secrets-scan: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Install git-secrets + run: | + git clone https://github.com/awslabs/git-secrets.git + cd git-secrets && sudo make install + + - name: Scan for secrets + run: | + git secrets --install + git secrets --register-aws + git secrets --scan +``` + +## Limitations + +- Pattern-based detection (regex), may miss obfuscated secrets +- Requires manual setup per repository (unless using templates) +- AWS-focused, limited built-in patterns for other services +- Cannot verify if found secrets are active + +## Resources + +- Repository: https://github.com/awslabs/git-secrets +- AWS Blog: https://aws.amazon.com/blogs/security (search "git-secrets") diff --git a/plugins/secrets-scanner/docs/gitleaks-reference.md b/plugins/secrets-scanner/docs/gitleaks-reference.md new file mode 100644 index 0000000..ab83332 --- /dev/null +++ b/plugins/secrets-scanner/docs/gitleaks-reference.md @@ -0,0 +1,179 @@ +# Gitleaks CLI Reference + +> Source: https://github.com/gitleaks/gitleaks +> Latest Version: v8.30.0 (November 2025) +> License: MIT + +## Overview + +Gitleaks is a SAST tool for detecting hardcoded secrets like passwords, API keys, and tokens in git repositories, files, and stdin. + +## Installation + +```bash +# macOS +brew install gitleaks + +# Docker +docker pull zricethezav/gitleaks:latest + +# Binary (Linux x64) +curl -sSfL https://github.com/gitleaks/gitleaks/releases/download/v8.30.0/gitleaks_8.30.0_linux_x64.tar.gz | tar -xz -C /usr/local/bin gitleaks +``` + +## Commands + +### gitleaks git + +Scan git repositories using git log history. + +``` +gitleaks git [flags] +``` + +**Flags:** +- `--log-opts ` - Git log options (e.g., `--all`, `--since=2023-01-01`) +- `--pre-commit` - Scan staged changes only (for pre-commit hooks) +- `--staged` - Alias for --pre-commit + +### gitleaks dir (aliases: files, directory) + +Scan directories and files. + +``` +gitleaks dir [path] [flags] +``` + +**Flags:** +- `--no-git` - Treat directory as plain files (not a git repo) +- `--follow-symlinks` - Follow symbolic links + +### gitleaks stdin + +Scan content from standard input. + +``` +echo "secret=AKIAIOSFODNN7EXAMPLE" | gitleaks stdin +``` + +## Global Flags + +| Flag | Short | Description | +|------|-------|-------------| +| `--config` | `-c` | Path to config file | +| `--exit-code` | | Exit code when leaks found (default: 1) | +| `--report-format` | `-f` | Output format: json, csv, junit, sarif | +| `--report-path` | `-r` | Path to save report | +| `--baseline-path` | `-b` | Path to baseline file for comparison | +| `--verbose` | `-v` | Show verbose output | +| `--redact` | | Redact secrets (0-100, percentage) | +| `--no-banner` | | Suppress banner | +| `--log-level` | `-l` | Log level: trace, debug, info, warn, error, fatal | +| `--max-target-megabytes` | | Skip files larger than this | + +## Configuration File (.gitleaks.toml) + +```toml +title = "Gitleaks Config" + +# Extend default rules +[extend] +useDefault = true + +# Custom rule +[[rules]] +id = "custom-secret" +description = "Custom Secret Pattern" +regex = '''(?i)my_secret_key\s*=\s*['"]?([a-zA-Z0-9]{32})['"]?''' +keywords = ["my_secret_key"] +entropy = 3.5 +secretGroup = 1 + +# Rule-specific allowlist +[[rules]] +id = "generic-password" +regex = '''password\s*=\s*['"]([^'"]+)['"]''' + [rules.allowlist] + paths = ['''test/.*'''] + regexes = ['''password123''', '''testpassword'''] + +# Global allowlist +[allowlist] +description = "Global Allowlist" +paths = [ + '''\.env\.example$''', + '''test/.*''', + '''docs/.*''' +] +commits = ["abc123"] # Ignore specific commits +regexes = ['''EXAMPLE_.*'''] # Ignore matching content +``` + +## Common Usage Examples + +```bash +# Basic scan of current repo +gitleaks git -v + +# Scan with JSON report +gitleaks git -v --report-format json --report-path report.json + +# Scan directory (not git) +gitleaks dir /path/to/files --no-git + +# Scan with custom config +gitleaks git -v --config .gitleaks.toml + +# Scan only new issues (baseline comparison) +gitleaks git --baseline-path baseline.json --report-path new.json + +# Scan staged changes (pre-commit) +gitleaks git --pre-commit -v + +# Generate SARIF for GitHub Security +gitleaks git --report-format sarif --report-path results.sarif + +# Scan all branches +gitleaks git -v --log-opts="--all" + +# Redact secrets in output +gitleaks git -v --redact=100 +``` + +## Exit Codes + +- `0` - No leaks found +- `1` - Leaks found (or error, configurable via --exit-code) + +## Environment Variables + +- `GITLEAKS_CONFIG` - Path to config file +- `GITLEAKS_CONFIG_TOML` - Config content as string + +## Pre-commit Integration + +Add to `.pre-commit-config.yaml`: + +```yaml +repos: + - repo: https://github.com/gitleaks/gitleaks + rev: v8.30.0 + hooks: + - id: gitleaks +``` + +## GitHub Action + +```yaml +- uses: gitleaks/gitleaks-action@v2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} +``` + +## Resources + +- Repository: https://github.com/gitleaks/gitleaks +- Releases: https://github.com/gitleaks/gitleaks/releases +- GitHub Action: https://github.com/gitleaks/gitleaks-action +- Documentation: https://gitleaks.io +- Playground: https://gitleaks.io/playground diff --git a/plugins/secrets-scanner/docs/trufflehog-reference.md b/plugins/secrets-scanner/docs/trufflehog-reference.md new file mode 100644 index 0000000..cd5a77f --- /dev/null +++ b/plugins/secrets-scanner/docs/trufflehog-reference.md @@ -0,0 +1,259 @@ +# TruffleHog CLI Reference + +> Source: https://github.com/trufflesecurity/trufflehog +> Latest Version: v3.92.5 (January 2025) +> License: AGPL-3.0 + +## Overview + +TruffleHog finds, verifies, and analyzes leaked credentials. It supports 800+ secret types and can verify if discovered credentials are still active. + +## Installation + +```bash +# macOS +brew install trufflehog + +# Install script +curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin + +# Docker +docker pull trufflesecurity/trufflehog:latest + +# Binary (Linux amd64) +curl -sSfL https://github.com/trufflesecurity/trufflehog/releases/download/v3.92.5/trufflehog_3.92.5_linux_amd64.tar.gz | tar -xz -C /usr/local/bin +``` + +## Commands + +### git + +Scan git repositories. + +```bash +trufflehog git [options] +``` + +**URL formats:** +- `file://.` - Local repository +- `https://github.com/owner/repo.git` - Remote via HTTPS +- `git@github.com:owner/repo.git` - Remote via SSH + +### filesystem + +Scan directories/files (non-git). + +```bash +trufflehog filesystem [options] +``` + +### github + +Scan GitHub organizations/repositories. + +```bash +trufflehog github [options] +``` + +**Options:** +- `--org=` - Scan organization +- `--repo=` - Scan specific repo +- `--token=` - GitHub token (or GITHUB_TOKEN env) +- `--issue-comments` - Include issue comments +- `--pr-comments` - Include PR comments +- `--gists` - Include gists + +### s3 + +Scan AWS S3 buckets. + +```bash +trufflehog s3 [options] +``` + +**Options:** +- `--bucket=` - Bucket name +- `--role-arn=` - IAM role for access + +### gcs + +Scan Google Cloud Storage. + +```bash +trufflehog gcs [options] +``` + +### docker + +Scan Docker images. + +```bash +trufflehog docker --image= +``` + +**Options:** +- `--image=` - Image name with tag + +### postman + +Scan Postman workspaces. + +```bash +trufflehog postman --token= --workspace= +``` + +### jenkins + +Scan Jenkins servers. + +```bash +trufflehog jenkins --url= +``` + +### elasticsearch + +Scan Elasticsearch clusters. + +```bash +trufflehog elasticsearch --nodes= +``` + +## Global Options + +| Option | Description | +|--------|-------------| +| `--json` | Output as JSON | +| `--only-verified` | Only show verified (active) secrets | +| `--results=` | Filter: verified, unknown, unverified | +| `--fail` | Exit 183 if secrets found (for CI) | +| `--no-verification` | Disable verification (faster) | +| `--concurrency=` | Number of concurrent workers | +| `--exclude-paths=` | File with paths to exclude | +| `--include-paths=` | File with paths to include | + +## Git-Specific Options + +| Option | Description | +|--------|-------------| +| `--branch=` | Scan specific branch | +| `--since-commit=` | Start from commit | +| `--max-depth=` | Maximum commit depth | +| `--bare` | Scan bare repository | + +## Verification Feature + +TruffleHog uniquely **verifies** if secrets are active by: +1. Testing credentials against the actual service +2. Reporting verification status + +**Verification statuses:** +- `verified` - Confirmed active/working credential +- `unknown` - Could not verify (service unavailable, etc.) +- `unverified` - Tested and not working (rotated/invalid) + +## Common Usage Examples + +```bash +# Scan local git repo +trufflehog git file://. + +# Scan with JSON output +trufflehog git file://. --json + +# Only verified (active) secrets +trufflehog git file://. --only-verified + +# Verified + unknown confidence +trufflehog git file://. --results=verified,unknown + +# Scan remote repo +trufflehog git https://github.com/owner/repo.git + +# Scan specific branch +trufflehog git file://. --branch=main + +# Scan since commit +trufflehog git file://. --since-commit=abc123 + +# Scan directory (non-git) +trufflehog filesystem /path/to/files + +# Scan GitHub org +export GITHUB_TOKEN="ghp_xxxx" +trufflehog github --org=my-org + +# Scan S3 bucket +trufflehog s3 --bucket=my-bucket + +# Scan Docker image +trufflehog docker --image=myregistry/myimage:latest + +# CI mode (fail if secrets found) +trufflehog git file://. --fail --only-verified +``` + +## Docker Usage + +```bash +# Scan current directory +docker run --rm -v "$(pwd):/repo" trufflesecurity/trufflehog:latest git file:///repo + +# Scan with verification +docker run --rm -v "$(pwd):/repo" trufflesecurity/trufflehog:latest git file:///repo --only-verified + +# Scan remote repo +docker run --rm trufflesecurity/trufflehog:latest git https://github.com/owner/repo.git +``` + +## Path Exclusions + +Create `exclude.txt`: +``` +test/ +*.test.js +node_modules/ +vendor/ +.env.example +``` + +Use: +```bash +trufflehog git file://. --exclude-paths=exclude.txt +``` + +## Supported Secret Types (800+) + +Categories include: +- **Cloud providers**: AWS, GCP, Azure +- **Version control**: GitHub, GitLab, Bitbucket +- **Communication**: Slack, Discord, Twilio +- **Payment**: Stripe, Square, PayPal +- **Database**: PostgreSQL, MySQL, MongoDB connection strings +- **SaaS**: Sendgrid, Mailchimp, Datadog +- **Crypto**: Private keys, SSH keys, PGP keys +- And many more... + +## Exit Codes + +- `0` - No secrets found +- `183` - Secrets found (when using `--fail`) +- `1` - Error occurred + +## GitHub Action + +```yaml +- uses: trufflesecurity/trufflehog@main + with: + path: ./ + base: main + head: HEAD + extra_args: --only-verified +``` + +## Resources + +- Repository: https://github.com/trufflesecurity/trufflehog +- Releases: https://github.com/trufflesecurity/trufflehog/releases +- Documentation: https://trufflesecurity.com/trufflehog +- Enterprise: https://trufflesecurity.com +- Community: Slack and Discord available